Discussion:
OpenLDAP proxy to AD
Steve Harris
2005-02-03 19:01:43 UTC
Hi all,

I'm setting up OpenLDAP as a proxy to AD so that LDAP queries directed
to the OpenLDAP proxy then connects to the AD via LDAPS.

OpenLDAP is up and running and the LDAP backend is working fine.

When I submit a query to the proxy server (using ldapsearch) I do not get
a response (the same query directly to the AD returns what I expect).

e.g. (query modified to protect the innocent :)

ldapsearch -v -h 127.0.0.1 -b "ou=bottom,dc=middle,dc=top" "samaccountName=steve"

Running slapd with '-d -1' reveals the following ;

get_ava: unknown attributeType samaccountName


I also have an attribute map in place and the debug reveals the following
during startup ;

/usr/local/etc/openldap/slapd.conf: line 35: warning, destination
attributeType 'samaccountname' is not defined in schema


I'm guessing that I need an Active Directory schema of some form - is one
available (I've trawled Google and the mailing list archives) - any ideas?

Cheers - Steve
Pierangelo Masarati
2005-02-03 22:13:22 UTC
Post by Steve Harris
Hi all,
I'm setting up OpenLDAP as a proxy to AD so that LDAP queries directed
to the OpenLDAP proxy then connects to the AD via LDAPS.
OpenLDAP is up and running and the LDAP backend is working fine..
When I submit a query to the proxy server (using ldapsearch) I do not get
a response (the same query directly to the AD returns what I expect).
e.g. (query modified to protect the innocent :)
ldapsearch -v -h 127.0.0.1 -b "ou=bottom,dc=middle,dc=top"
"samaccountName=steve"
Running slapd with '-d -1' reveals the following ;
get_ava: unknown attributeType samaccountName
I also have an attribute map in place and the debug reveals the following
during startup ;
/usr/local/etc/openldap/slapd.conf: line 35: warning, destination
attributeType 'samaccountname' is not defined in schema
I'm guessing that I need an Active Directory schema of some form - is one
available (I've trawled Google and the mailing list archives) - any ideas?
Ask AD (i.e. the schema under "subschemasubentry" in the rootDSE); you
likely need to do some manual work to cast stuff in OpenLDAP's
slapd.conf format for "attributeTypes" config statements.

p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
Jon Roberts
2005-02-03 21:28:11 UTC
Post by Steve Harris
I'm guessing that I need an Active Directory schema of some form - is one
available (I've trawled Google and the mailing list archives) - any ideas?
There are Microsoft schema files in OpenLDAP CVS:

http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/schema/?hideattic=1

The one called microsoft.schema has:

attributetype ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )

Jon Roberts
www.mentata.com
Steve Harris
2005-02-03 23:24:01 UTC
Hi there,

Thanks a bunch for the reply. It's certainly got me past that problem and
the debug output shows that the attribute is being accepted.

When I now submit my query the debug tells me that I have an illegal
value.

ber_dump: buf=0x00263e98 ptr=0x00263ec7 end=0x00263ee2 len=27
  0000:  a3 17 04 0e 73 61 6d 61 63 63 6f 75 6e 74 4e 61   ....samaccountNa
  0010:  6d 65 04 05 73 74 65 76 65 30 00                  me..steve0.

get_ava: illegal value for attributeType samaccountName

The query is really simple and works directly with AD.....

Any ideas?

Regards - Steve


Steve Harris - Technical Analyst - Myra Systems CORP. - Ph : 250-952-6361
Post by Jon Roberts
Post by Steve Harris
I'm guessing that I need an Active Directory schema of some form - is one
available (I've trawled Google and the mailing list archives) - any ideas?
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/schema/?hideattic=1
attributetype ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
Jon Roberts
www.mentata.com
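Decoding the 27 bytes from the ber_dump in Steve's message, as an added example (not code from the thread): it parses the BER TLVs of the LDAP search filter and shows that the client sent a plain equalityMatch on samaccountName with the value steve, so the request itself is well-formed and the "illegal value" rejection comes from slapd's schema checking of that assertion. One thing worth checking there is whether the attributetype definition carries an EQUALITY matching rule, which slapd needs in order to normalize an equality assertion value; the definition quoted from microsoft.schema above has none, but whether that is the cause in Steve's setup is an assumption, not something the thread confirms.

```python
from typing import Any, Tuple

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the definite-length BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

def decode_filter(buf: bytes) -> Any:
    """Decode an LDAP Filter CHOICE (RFC 2251 4.5.1) into a small tuple tree."""
    tag, body, _ = read_tlv(buf, 0)
    if tag in (0xA0, 0xA1):               # [0] and / [1] or: SET OF Filter
        parts, pos = [], 0
        while pos < len(body):
            _, _, nxt = read_tlv(body, pos)
            parts.append(decode_filter(body[pos:nxt]))
            pos = nxt
        return ("and" if tag == 0xA0 else "or", parts)
    if tag == 0xA2:                       # [2] not: Filter
        return ("not", decode_filter(body))
    if tag == 0x87:                       # [7] present: AttributeDescription
        return ("present", body.decode())
    if tag == 0xA3:                       # [3] equalityMatch: AttributeValueAssertion
        _, desc, pos = read_tlv(body, 0)  #   attributeDesc  OCTET STRING
        _, value, _ = read_tlv(body, pos) #   assertionValue OCTET STRING
        return ("equalityMatch", desc.decode(), value.decode())
    raise ValueError(f"filter choice tag 0x{tag:02x} not handled here")

# The bytes between ptr and end in the ber_dump (copied from the post): the
# filter, followed by the empty attribute-selection SEQUENCE (30 00) of the
# SearchRequest, which read_tlv's computed end offset simply leaves unread.
DUMP = bytes.fromhex("a3 17 04 0e 73 61 6d 61 63 63 6f 75 6e 74 4e 61"
                     "6d 65 04 05 73 74 65 76 65 30 00")

def decode_dump(dump: bytes = DUMP) -> Any:
    """Decode the filter at the start of the dump; the trailing 30 00 is ignored."""
    return decode_filter(dump)

if __name__ == "__main__":
    print(decode_dump())   # ('equalityMatch', 'samaccountName', 'steve')
```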
Dusty Doris
2005-02-04 20:58:42 UTC
Post by Steve Harris
Hi all,
I'm setting up OpenLDAP as a proxy to AD so that LDAP queries directed
to the OpenLDAP proxy then connects to the AD via LDAPS.
OpenLDAP is up and running and the LDAP backend is working fine..
When I submit a query to the proxy server (using ldapsearch) I do not get
a response (the same query directly to the AD returns what I expect).
e.g. (query modified to protect the innocent :)
ldapsearch -v -h 127.0.0.1 -b "ou=bottom,dc=middle,dc=top"
"samaccountName=steve"
Running slapd with '-d -1' reveals the following ;
get_ava: unknown attributeType samaccountName
I also have an attribute map in place and the debug reveals the following
during startup ;
/usr/local/etc/openldap/slapd.conf: line 35: warning, destination
attributeType 'samaccountname' is not defined in schema
What's your slapd.conf look like on that map entry?

I was able to map using back-meta with this

map attribute mail userPrincipalName

This mapped the AD userPrincipalName to the openldap mail. I didn't need
to define what userPrincipalName was in openldap.

This is using openldap 2.1.30.
